EQL

Cheatsheet

1. Basic Query Format

Start with an event type followed by a where clause for conditions.

2. Filtering

Use where to filter results based on a condition.

3. Event Joining

Use sequence to correlate events in a sequence.

4. Time Constraints

Use until and within to define time constraints between sequence events.

5. Event Type Definition

Define event types to filter on specific log types.

6. Field Comparisons

Use field comparisons to correlate fields within and across events.

7. String Functions

Use string functions like concat, substring, etc., for string operations.

8. Mathematical Operations

Use mathematical operations like +, -, *, / for calculations.

9. Logical Operators

Use logical operators like and, or, not for complex conditions.

10. Pipe Operations

Use `|` to perform operations like filtering, sorting, and counting on the query results.

Examples for Detection Query in EQL

1. Basic Query

process where process_name == "cmd.exe"

2. Event Sequence

sequence by host.id
    [process where process_name == "cmd.exe"]
    [network where process_name == "cmd.exe" and port == 80]

3. Time Constraint

sequence by host.id
    [process where process_name == "cmd.exe"]
    [network where process_name == "cmd.exe" and port == 80] within 1m

4. Field Comparison

sequence by host.id
    [process where process_name == "cmd.exe"]
    [network where process_name == "cmd.exe" and port == 80 and process.pid == process.parent_pid]

5. String Concatenation

process where concat(process_name, " ", process.args) == "cmd.exe /c"

6. Logical Operator

process where process_name == "cmd.exe" and not user.name == "SYSTEM"

7. Mathematical Operation

file where file.size + 100 > 2000

8. Event Type Definition

file where opcode == "create" and file.extension == "exe"

9. Pipe and Count

process where process_name == "cmd.exe"
| count

10. Pipe and Unique Count

process where true
| unique_count user.name

11. Pipe and Sort

process where true
| sort process.start_time desc

12. Pipe and Filter

process where true
| filter process_name == "cmd.exe"

13. Pipe and Head

process where true
| head 5

14. Pipe and Tail

process where true
| tail 5

15. Subquery

process where process_name == "cmd.exe" and
    [file where file_name == "evil.exe"]

16. Wildcard Usage

process where process_name like "svchost.*"

17. Case Insensitive Match

process where process_name : "Cmd.ExE"

18. Length Function

process where length(process_name) > 5

19. Number Function

process where number(process_name) == 123

20. Array Function

process where array_length(process.args) > 2

PreviousKQL Nexteventvwr

Last updated 1 year ago

EQL

Cheatsheet

1. Basic Query Format

Start with an event type followed by a where clause for conditions.

2. Filtering

Use where to filter results based on a condition.

3. Event Joining

Use sequence to correlate events in a sequence.

4. Time Constraints

Use until and within to define time constraints between sequence events.

5. Event Type Definition

Define event types to filter on specific log types.

6. Field Comparisons

Use field comparisons to correlate fields within and across events.

7. String Functions

Use string functions like concat, substring, etc., for string operations.

8. Mathematical Operations

Use mathematical operations like +, -, *, / for calculations.

9. Logical Operators

Use logical operators like and, or, not for complex conditions.

10. Pipe Operations

Use `|` to perform operations like filtering, sorting, and counting on the query results.

Examples for Detection Query in EQL

1. Basic Query

process where process_name == "cmd.exe"

2. Event Sequence

sequence by host.id
    [process where process_name == "cmd.exe"]
    [network where process_name == "cmd.exe" and port == 80]

3. Time Constraint

sequence by host.id
    [process where process_name == "cmd.exe"]
    [network where process_name == "cmd.exe" and port == 80] within 1m

4. Field Comparison

sequence by host.id
    [process where process_name == "cmd.exe"]
    [network where process_name == "cmd.exe" and port == 80 and process.pid == process.parent_pid]

5. String Concatenation

process where concat(process_name, " ", process.args) == "cmd.exe /c"

6. Logical Operator

process where process_name == "cmd.exe" and not user.name == "SYSTEM"

7. Mathematical Operation

file where file.size + 100 > 2000

8. Event Type Definition

file where opcode == "create" and file.extension == "exe"

9. Pipe and Count

process where process_name == "cmd.exe"
| count

10. Pipe and Unique Count

process where true
| unique_count user.name

11. Pipe and Sort

process where true
| sort process.start_time desc

12. Pipe and Filter

process where true
| filter process_name == "cmd.exe"

13. Pipe and Head

process where true
| head 5

14. Pipe and Tail

process where true
| tail 5

15. Subquery

process where process_name == "cmd.exe" and
    [file where file_name == "evil.exe"]

16. Wildcard Usage

process where process_name like "svchost.*"

17. Case Insensitive Match

process where process_name : "Cmd.ExE"

18. Length Function

process where length(process_name) > 5

19. Number Function

process where number(process_name) == 123

20. Array Function

process where array_length(process.args) > 2

PreviousKQL Nexteventvwr

Last updated 1 year ago